Bugtraq mailing list archives
RE: [IE 6 SP2] Possible URL Spoofing
From: "Dror Shalev" <dshalev () finjan com>
Date: Tue, 19 Oct 2004 13:39:12 +0200
<snip>
javascript:document.write("<iframe src='http://www.google.com' width='100%' height='100%'></iframe>");
</snip> If you put <iframe frameborder=0 scrolling=no height=100% width=100% src='http://www.google.com'></iframe> And the Frame become invisible. Dror -----Original Message----- From: Paul Kurczaba [mailto:paul () myipis com] Sent: Saturday, October 16, 2004 4:04 AM To: Andrew Hunter; bugtraq () securityfocus com Subject: Re: [IE 6 SP2] Possible URL Spoofing I realize that while many would be fooled, many wouldn't be, because the frame is very visible; as shown here: http://www.kurczaba.com/images/iespoof.png. Though, as you said, there is probably a way to bypass the homepage verification dialog. It is just a matter of time :) Just my 2 cents, Paul ----- Original Message ----- From: "Andrew Hunter" <andiroohunter () msn com> To: <bugtraq () securityfocus com> Sent: Friday, October 15, 2004 5:50 PM Subject: [IE 6 SP2] Possible URL Spoofing
Program: IE 6 Sp2 Version: 6.0.2900.2180.xpsp_sp2_rtm.040803-2158 OS: Windows XP Home SP2 I was just messing around with IE, playing with JavaScript. It's a well known fact that IE lets you run javascript from the
address
bar: e.g Type the following into the address bar: javascript:alert('IE
Sucks Go
Get
FireFox');document.location="http://www.mozilla.org/products/firefox/";
That address will display a message box and then take you to the
firefox
download page. I then started to wonder what would happen if i set a similar address as my homepage. So i went and did exactly that. It
was
ammusing to see IE display "You Smell" when i clicked the homepage
button.
I closed IE, and just dismissed the idea. Later on when i clicked the
IE
logo i heard the sound that windows makes when a message box is
displayed.
I couldn't see anything and IE failed to open. I pressed Ctrl-Alt-Del and just caught a glimps of it closing. I experimented more with setting the homepage to different things when
i
came accross this: javascript:document.write("<iframe src='http://www.google.com' width='100%' height='100%'></iframe>"); I went to www.slashdot.org and pressed my homepage button. Lo and
behold
google appeared on my screen and the address was still
www.slashdot.org!
I couldn't find any JavaScript to auto set this as the homepage
without
asking the user to varify this, but i think there may be other ways in
which this hole can be exploited! _________________________________________________________________ Want to block unwanted pop-ups? Download the free MSN Toolbar now! http://toolbar.msn.co.uk/
----------------------------------------------- This message was scanned for malicious content and viruses by Finjan Internet Vital Security 1Box(tm)
Current thread:
- [IE 6 SP2] Possible URL Spoofing Andrew Hunter (Oct 15)
- Re: [IE 6 SP2] Possible URL Spoofing Paul Kurczaba (Oct 18)
- <Possible follow-ups>
- Re: [IE 6 SP2] Possible URL Spoofing http-equiv () excite com (Oct 18)
- RE: [IE 6 SP2] Possible URL Spoofing Dror Shalev (Oct 19)